Synchronized taking of snapshot memory images of virtual machines and storage snapshots

ABSTRACT

A system for providing prior operation states of a virtual machine in a storage system having at least one storage array is provided. It may be determined that a trigger for taking a snapshot image of the virtual machine and a snapshot of a storage array state has occurred. The snapshot image of the virtual machine may be taken. The snapshot of the storage array state may be taken. The snapshot image of the virtual machine and the snapshot of the storage array state may be made available for subsequent access to rollback the virtual machine and storage array state to a prior state.

TECHNICAL FIELD

This application is related to the field of data storage and, moreparticularly, to systems for managing data sharing over one or morenetworks.

BACKGROUND OF THE INVENTION

In current storage networks, and particularly storage networks includinggeographically remote directors (or nodes) and storage resources,preserving or reducing bandwidth between resources and directors whileproviding optimized data availability and access is highly desirable.Data access may be localized, in part, to improve access speed to pagesrequested by host devices. Caching pages at directors provideslocalization, however, it is desirable that the cached data be keptcoherent with respect to modifications at other directors that may becaching the same data. An example of a system for providing distributedcache coherence is described in U.S. Patent App. Pub. No. 2006/0031450to Unrau et al., entitled “Systems and Methods for Providing DistributedCache Coherency,” which is incorporated herein by reference. Othersystems and techniques for managing and sharing storage array functionsamong multiple storage groups in a storage network are described, forexample, in U.S. Pat. No. 7,266,706 to Brown et al. entitled “Methodsand Systems for Implementing Shared Disk Array Management Functions,”which is incorporated herein by reference.

Data transfer among storage devices, including transfers for datareplication or mirroring functions, may involve various datasynchronization processing and techniques to provide reliable protectioncopies of data among a source site and a destination site. Insynchronous transfers, data may be transmitted to a remote site and anacknowledgement of a successful write is transmitted synchronously withthe completion thereof. In asynchronous transfers, a data transferprocess may be initiated and a data write may be acknowledged before thedata is actually transferred to directors at the remote site.Asynchronous transfers may occur in connection with sites locatedgeographically distant from each other. Asynchronous distances may bedistances in which asynchronous transfers are used because synchronoustransfers would take more time than is preferable or desired.Particularly for asynchronous transfers, it is desirable to maintain aproper ordering of writes such that any errors or failures that occurduring data transfer may be properly identified and addressed such that,for example, incomplete data writes be reversed or rolled back to aconsistent data state as necessary. Reference is made, for example, toU.S. Pat. No. 7,475,207 to Bromling et al. entitled “Maintaining WriteOrder Fidelity on a Multi-Writer System,” which is incorporated hereinby reference, that discusses features for maintaining write orderfidelity (WOF) in an active/active system in which a plurality ofdirectors (i.e. controllers and/or access nodes) at geographicallyseparate sites can concurrently read and/or write data in a distributeddata system. Discussions of data ordering techniques for synchronous andasynchronous data replication processing for other types of systems,including types of remote data facility (RDF) systems produced by EMCCorporation of Hopkinton, Mass., may be found, for example, in U.S. Pat.No. 7,613,890 to Meiri, entitled “Consistent Replication Across MultipleStorage Devices,” U.S. Pat. No. 7,054,883 to Meiri et al., entitled“Virtual Ordered Writes for Multiple Storage Devices,” and U.S. patentapplication Ser. No. 12/080,027 to Meiri et al., filed Mar. 31, 2008,entitled “Active/Active Remote Synchronous Mirroring,” which are allincorporated herein by reference and are assigned to the assignee of thepresent application.

In an active/active storage system, if there are multiple interfaces toa storage device, each of the interfaces may provide equal access to thestorage device. With active/active storage access, hosts in differentlocations may have simultaneous read/write access via respectiveinterfaces to the same storage device. Various failures in anactive/active system may adversely impact synchronization and hinder theability of the system to recover. Especially problematic are failurescenarios in active/active storage systems involving asynchronous datatransmissions.

Accordingly, it would be desirable to provide an effective and efficientsystem to address issues like that noted above for a distributed storagesystem, particularly in an active/active storage system.

SUMMARY OF THE INVENTION

According to the system described herein, a method for providingmobility of a virtual machine between a first site and a second site ofan active/active system is disclosed. For a virtual machine operating onthe first site, it may be determined that the second site is adestination site between the first site and the second site. While thevirtual machine is operating on the first site, storage data may betransferred from the first site to the second site. Operation of thevirtual machine may be suspended on the first site. Operation of thevirtual machine may be resumed on the second site. In the event of linkfailure between the first site and the second site, operation of thevirtual machine may be maintained on the second site. Determining thatthe second site is the destination site may occur in response to adetermination that at least one additional failure will result in a lackof resources to maintain operation of the virtual machine. Thedestination site may be indicated by a user. The virtual machine may betransferred from the first site to the second site by transferring animage of the virtual machine from the first site to the second site.Each of the first site and second site may include at least one hostcluster, at least one director cluster and at least one storage array.The second site may be located remotely from the first site across anasynchronous distance. Following a failure, the active/active system maytransition to an active/passive system.

According further to the system described herein, a non-transitorycomputer readable medium stores software for providing mobility of avirtual machine between a first site and a second site of anactive/active system. The software may include executable code that, fora virtual machine operating on the first site, determines that thesecond site is a destination site between the first site and the secondsite. Executable code may be provided that, while the virtual machine isoperating on the first site, transfers storage data from the first siteto the second site. Executable code may be provided that suspendsoperation of the virtual machine on the first site. Executable code maybe provided that resumes operation of the virtual machine on the secondsite. Executable code may be provided that, in the event of link failurebetween the first site and the second site, maintains operation of thevirtual machine on the second site. The executable code that determinesthat the second site is the destination site may perform in response toa determination that at least one additional failure will result in alack of resources to maintain operation of the virtual machine. Thedestination site may be indicated by a user. The virtual machine may betransferred from the first site to the second site by executable codethat transfers an image of the virtual machine from the first site tothe second site. Each of the first site and second site may include atleast one host cluster, at least one director cluster and at least onestorage array. The second site may be located remotely from the firstsite across an asynchronous distance. Following a failure, theactive/active system may transition to an active/passive system.

According further to the system described herein, an active/activesystem includes a first site and a second site located remotely from thefirst site. Each of the first site and the second site may include atleast one host cluster, at least one director cluster, and at least onestorage array. A computer readable medium of the host cluster and/or thedirector cluster may store software for providing mobility of a virtualmachine between the first site and the second site. The software mayinclude executable code that, for the virtual machine operating on thefirst site, determines that the second site is a destination sitebetween the first site and the second site. Executable code may beprovided that, while the virtual machine is operating on the first site,transfers storage data from the first site to the second site.Executable code may be provided that suspends operation of the virtualmachine on the first site. Executable code may be provided that resumesoperation of the virtual machine on the second site. Executable code maybe provided that, in the event of link failure between the first siteand the second site, maintains operation of the virtual machine on thesecond site. The executable code that determines that the second site isthe destination site may perform in response to a determination that atleast one additional failure will result in a lack of resources tomaintain operation of the virtual machine. The destination site may beindicated by a user. The virtual machine may be transferred from thefirst site to the second site by executable code that transfers an imageof the virtual machine from the first site to the second site. Thesecond site may be located remotely from the first site across anasynchronous distance. Following a failure, the active/active system maytransition to an active/passive system.

According further to the system described herein, a method for operatinga virtual machine using a first site and a second site of anactive/active system is provided. A host cluster and a director clustermay be identified at each of the first site and the second site. A firstlink may be provided between the host cluster of the first site and thehost cluster of the second site. A second link may be provided betweenthe director cluster of the first site and the director cluster of thesecond site, the first link being different from the second link. Avirtual machine may be operated on the first site. While the virtualmachine is operating on the first site, storage data may be transferredfrom the first site to the second site. An image of the virtual machinemay be transferred from the first site to the second site. At least oneof the following may be performed: (i) the storage data is transferredusing the first link or (ii) the image of the virtual machine istransferred using the second link. The storage data may be transferredusing the first link and the image of the virtual machine may betransferred using the second link. Each of the first site and secondsite may include at least one storage array. The second site may belocated remotely from the first site across an asynchronous distance.The second site may be determined as a preferred site in event of a linkfailure between the first site and the second site. This determiningthat the second site is the preferred site may occur in response to adetermination that at least one additional failure will result in a lackof resources to maintain operation of the virtual machine. Thedetermination that the at least one additional failure will result in alack of resources to maintain operation of the virtual machine maytrigger the transferring of the storage data and the virtual machineimage to the second site.

According further to the system described herein, a non-transitorycomputer readable medium stores software for operating a virtual machineamong a first site and a second site of an active/active system. Thesoftware may include executable code that identifies a host cluster anda director cluster at each of the first site and the second site. Afirst link may be provided between the host cluster of the first siteand the host cluster of the second site. A second link may be providedbetween the director cluster of the first site and the director clusterof the second site, the first link being different than the second link.Executable code is provided that operates a virtual machine on the firstsite. Executable code may be provided that, while the virtual machine isoperating on the first site, transfers data corresponding to operationof the virtual machine from the first site to the second site.Executable code may be provided that transfers an image of the virtualmachine from the first site to the second site. At least one of thefollowing may be performed: (i) the storage data is transferred usingthe first link; or (ii) the image of the virtual machine is transferredusing the second link. The storage data may be transferred using thefirst link and the image of the virtual machine is transferred using thesecond link. Each of the first site and second site may include at leastone storage array. The second site may be located remotely from thefirst site across an asynchronous distance. Executable code may beprovided that determines that the second site is a preferred site inevent of a link failure between the first site and the second site. Theexecutable code that determines that the second site is the preferredsite may operate in response to a determination that at least oneadditional failure will result in a lack of resources to maintainoperation of the virtual machine. The determination that the at leastone additional failure will result in a lack of resources to maintainoperation of the virtual machine may trigger the transferring of thedata and the image to the second site.

According further to the system described herein, an active/activesystem may include a first site and a second site located remotely fromthe first site. Each of the first site and the second site may includeat least one host cluster, at least one director cluster, and at leastone storage array. A computer readable medium may be provided for thehost cluster and/or the director cluster that stores software. Thesoftware may include executable code that identifies a host cluster anda director cluster at each of the first site and the second site. Afirst link may be provided between the host cluster of the first siteand the host cluster of the second site. A second link may be providedbetween the director cluster of the first site and the director clusterof the second site, the first link being different than the second link.Executable code may be provided that operates a virtual machine on thefirst site. Executable code may be provided that, while the virtualmachine is operating on the first site, transfers data corresponding tooperation of the virtual machine from the first site to the second site.Executable code may be provided that transfers an image of the virtualmachine from the first site to the second site. At least one of thefollowing may be performed: (i) the storage data is transferred usingthe first link; or (ii) the image of the virtual machine is transferredusing the second link. The storage data may be transferred using thefirst link and the image of the virtual machine is transferred using thesecond link. Each of the first site and second site may include at leastone storage array. Executable code may be provided that determines thatthe second site is a preferred site in event of a link failure betweenthe first site and the second site. The executable code that determinesthat the second site is the preferred site may operate in response to adetermination that at least one additional failure will result in a lackof resources to maintain operation of the virtual machine. Thedetermination that the at least one additional failure will result in alack of resources to maintain operation of the virtual machine maytrigger the transferring of the data and the image to the second site.

According further to the system described herein, a method for providingprior operation states of a virtual machine in a storage system havingat least one storage array is provided. It may be determined that atrigger for taking a snapshot image of the virtual machine and asnapshot of a storage array state has occurred. The snapshot image ofthe virtual machine may be taken. The snapshot of the storage arraystate may be taken. The snapshot image of the virtual machine and thesnapshot of the storage array state may be made available for subsequentaccess to rollback the virtual machine and storage array state to aprior state. The trigger may include a determination that a failurecondition has occurred. The failure condition may be a state that atleast one additional failure will result in a lack of resources tomaintain operation of the virtual machine. The trigger may be initiatedby a user. The snapshot image of the virtual machine and the snapshot ofthe storage array state may correspond to a write order fidelityprocessing state. The write order fidelity processing state may, for aset of data being transmitted from a first site to a second site, be astate of the set of the data that is transmitted prior to the triggerand may include at least some data that is on the first site and thesecond site. The virtual machine and the storage array state may berolled back to a state corresponding to the snapshot image of thevirtual machine and the storage array state in response to a failure inthe system.

According further to the system described herein, a non-transitorycomputer readable medium stores software for providing prior operationstates of a virtual machine in a storage system having at least onestorage array. The software may include executable code that determinesthat a trigger for taking a snapshot image of the virtual machine and asnapshot of a storage array state has occurred. Executable code may beprovided that takes the snapshot image of the virtual machine.Executable code may be provided that takes the snapshot of the storagearray state. Executable code may be provided that makes the snapshotimage of the virtual machine and the snapshot of the storage array stateavailable for subsequent access to rollback the virtual machine andstorage array state to a prior state. The trigger may include adetermination that a failure condition has occurred. The failurecondition may be a state that at least one additional failure willresult in a lack of resources to maintain operation of the virtualmachine. The trigger may be initiated by a user. The snapshot image ofthe virtual machine and the snapshot of the storage array state maycorrespond to a write order fidelity processing state. The write orderfidelity processing state may, for a set of data being transmitted froma first site to a second site, be a state of the set of the data that istransmitted prior to the trigger and may include at least some data thatis on the first site and the second site. Executable code may beprovided that rolls back the virtual machine and the storage array stateto a state corresponding to the snapshot image of the virtual machineand the storage array state in response to a failure in the system.

According further to the system described herein, an active/activesystem may include a first site and a second site located remotely fromthe first site. Each of the first site and the second site may includeat least one host cluster, at least one director cluster, and at leastone storage array. A computer readable medium may be provided for thehost cluster and/or the director cluster that stores software. Thesoftware may include executable code that to determines that a triggerfor taking a snapshot image of the virtual machine and a snapshot of astorage array state has occurred. Executable code may be provided thattakes the snapshot image of the virtual machine. Executable code may beprovided that takes the snapshot of the storage array state. Executablecode may be provided that makes the snapshot image of the virtualmachine and the snapshot of the storage array state available forsubsequent access to rollback the virtual machine and storage arraystate to a prior state. The trigger may include a determination that afailure condition has occurred. The failure condition may be a statethat at least one additional failure will result in a lack of resourcesto maintain operation of the virtual machine. The snapshot image of thevirtual machine and the snapshot of the storage array state maycorrespond to a write order fidelity processing state. The write orderfidelity processing state may, for a set of data being transmitted froma first site to a second site, be a state of the set of the data that istransmitted prior to the trigger and may include at least some data thatis on the first site and the second site. Executable code may beprovided that rolls back the virtual machine and the storage array stateto a state corresponding to the snapshot image of the virtual machineand the storage array state in response to a failure in the system.

According further to the system described herein, a method forresponding to a failure in an active/active system is provided. It maybe determined that a failure has occurred in connection with a firstsite and a second site. A winning site and a losing site may bedetermined from among the first site and the second site. It may bedetermined whether to perform at least one of: a push operation, a pulloperation or both to obtain or identify data from the losing site inorder to maintain I/O operations on the data at the winning site. Amessage may be sent to the losing site concerning the data. The messagemay depend on whether to perform the push operation, the pull operationor both. A response to the message may be received. For the pushoperation, the message may be an inquiry to the losing site about thedata. The response may be a first transmission that includestransferring ownership of clean data blocks to the winning site. Afterthe first transmission, a second transmission may transfer dirty datablocks and ownership of the dirty data blocks to the winning site. Forthe pull operation, the message may be a command to the losing siteconcerning dirty and clean data blocks. The response may depends onwhether the data blocks are dirty or clean and include: for clean datablocks, transferring ownership thereof to the winning site, and fordirty data blocks, transferring the dirty data blocks and ownershipthereof to the winning site. The second site may be located remotelyfrom the first site across an asynchronous distance.

According further to the system described herein, a non-transitorycomputer readable medium may include software for responding to afailure in an active/active system. The software may include executablecode that determines that a failure has occurred in connection with afirst site and a second site. Executable code may be provided thatdetermines a winning site and a losing site from among the first siteand the second site. Executable code may be provided that determineswhether to perform at least one of: a push operation, a pull operationor both to obtain or identify data from the losing site in order tomaintain I/O operations on the data at the winning site. Executable codemay be provided that sends a message to the losing site concerning thedata. The message may depend on whether to perform the push operation,the pull operation or both. Executable code may be provided thatreceives a response to the message. For the push operation, the messagemay be an inquiry to the losing site about the data. The response may bea first transmission that includes transferring ownership of clean datablocks to the winning site. After the first transmission, a secondtransmission may transfer dirty data blocks and ownership of the dirtydata blocks to the winning site. For the pull operation, the message maybe a command to the losing site concerning dirty and clean data blocks.The response may depend on whether the data blocks are dirty or cleanand include: for clean data blocks, transferring ownership thereof tothe winning site, and for dirty data blocks, transferring the dirty datablocks and ownership thereof to the winning site. The second site may belocated remotely from the first site across an asynchronous distance.

According further to the system described herein, an active/activesystem may include a first site and a second site located remotely fromthe first site. Each of the first site and the second site may includeat least one host cluster, at least one director cluster, and at leastone storage array. A computer readable medium may be provided for thehost cluster and/or the director cluster that stores software. Thesoftware may include executable code that determines that a failure hasoccurred in connection with a first site and a second site. Executablecode may be provided that determines a winning site and a losing sitefrom among the first site and the second site. Executable code may beprovided that determines whether to perform at least one of: a pushoperation, a pull operation or both to obtain or identify data from thelosing site in order to maintain I/O operations on the data at thewinning site. Executable code may be provided that sends a message tothe losing site concerning the data. The message may depend on whetherto perform the push operation, the pull operation or both. Executablecode may be provided that receives a response to the message. For thepush operation, the message may be an inquiry to the losing site aboutthe data. The response may be a first transmission that includestransferring ownership of clean data blocks to the winning site. Afterthe first transmission, a second transmission may transfer dirty datablocks and ownership of the dirty data blocks to the winning site. Forthe pull operation, the message may be a command to the losing siteconcerning dirty and clean data blocks. The response may depend onwhether the data blocks are dirty or clean and includes: for clean datablocks, transferring ownership thereof to the winning site, and fordirty data blocks, transferring the dirty data blocks and ownershipthereof to the winning site.

BRIEF DESCRIPTION OF THE DRAWINGS

Embodiments of the system described herein are explained with referenceto the several figures of the drawings, which are briefly described asfollows.

FIG. 1 shows a network configuration of a distributed storage systemthat may be used in accordance with an embodiment of the systemdescribed herein.

FIG. 2 is a schematic illustration showing a system that includes aplurality of data centers in communication via a network that may beused in accordance with an embodiment of the system described herein.

FIG. 3 is a schematic illustration showing a distributed storage systemwith multiple sites according to an embodiment of the system describedherein.

FIG. 4 is a schematic illustration showing failure scenarios in adistributed storage system in accordance with various embodiments of thesystem described herein.

FIGS. 5 and 6 show alternative configurations of distributed storagesystems that may be used in accordance with embodiments of the systemdescribed herein.

FIG. 7 is a flow diagram showing a method for providing mobility of avirtual machine between a first site and a second site of anactive/active system according to an embodiment of the system describedherein.

FIG. 8A is a flow diagram showing a method for using the inter-clusterlink (director networks) between director clusters of multiple sites inan active/active system according to an embodiment of the systemdescribed herein.

FIG. 8B is a flow diagram showing a method for using the inter-clusterlink (host networks) between host clusters of multiple sites in anactive/active system according to an embodiment of the system describedherein.

FIG. 9 is a schematic illustration of a write order fidelity (WOF)pipeline and visualizes some details according to an embodiment of thesystem described herein.

FIG. 10 is a flow diagram showing a method of pulling data blockownership and data from the losing site to the winning site according toan embodiment of the system described herein.

FIG. 11 is a schematic illustration of a write order fidelity (WOF)pipeline and visualizes some details that may be used according to anembodiment of the system described herein.

FIG. 12 is a flow diagram showing a method for taking and usingsynchronized snapshots of the memory state (image) of a VM and thestorage state of a disk to provide a fail-over mechanism for highavailability.

FIG. 13 is a flow diagram showing processing following a failure in theactive/active system according to an embodiment of the system describedherein.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

FIG. 1 shows a network configuration of a distributed storage system 50that may be used in accordance with an embodiment of the systemdescribed herein. As shown, a plurality of host devices 10 (10 ₁ to 10_(N)) are communicably coupled with a plurality of directors 20 (20 ₁,20 ₂ to 20 _(N)). Each of the directors 20 may include a processor (CPU)component 22, such as a microprocessor or other intelligence module, acache component 24 (e.g., RAM cache), an instance of a distributed cachemanager 26 and/or other local storage and communication ports. (Ingeneral, “N” is used herein to indicate an indefinite plurality, so thatthe number “N” when referred to one component does not necessarily equalthe number “N” of a different component. For example, the number ofhosts 10 may or may not equal the number of directors 20 in FIG. 1.)Cache memory may be considered memory that is faster and more easilyaccessible by a processor than other non-cache memory used by a device.

Each of the hosts 10 may be communicably coupled to one or more ofdirectors 20 over one or more network connections 15, 16. It is notedthat host devices 10 may be operatively coupled with directors 20 overany of a number of connection schemes as required for the specificapplication and geographical location relative to each of the directors20, including, for example, a direct wired or wireless connection, anInternet connection, a local area network (LAN) type connection, a widearea network (WAN) type connection, a VLAN, a proprietary networkconnection, a Fibre channel (FC) network etc. Furthermore, hosts mayalso be coupled to one another via the networks 15, 16 and/oroperationally via a different network 5 and several of the hosts 10 maybe clustered together at one or more sites in which the sites aregeographically distant from one another. It is also noted that invarious embodiments the networks 15, 16 may be combined with the SANnetworks 30, 31.

Each of the directors 20 may also include, or be communicably coupledwith, one or more file systems, such as a virtual machine file system(VMFS), a new technology file system (NTFS) and/or other appropriatefile system, and may be communicably coupled with one or multiplestorage resources 40, 41, each including one or more disk drives and/orother storage volumes, over one or more storage area networks (SAN) 30,31, and/or other appropriate network, such as a LAN, WAN, etc. Thedirectors 20 may be located in close physical proximity to each other,and/or one or more may be remotely located, e.g., geographically remote,from other directors, as further discussed elsewhere herein. It ispossible for the SANs 30, 31 to be coupled together, and/or forembodiments of the system described herein to operate on the same SAN,as illustrated by a dashed line between the SAN 30 and the SAN 31. Eachof the directors 20 may also be able to intercommunicate with otherdirectors over a network 25, such as a public or private network, aperipheral component interconnected (PCI) bus, a Fibre Channel (FC)network, an Ethernet network and/or an InfiniB and network, among otherappropriate networks. In other embodiments, the directors may also beable to communicate over the SANs 30, 31 and/or over the networks 15,16. Several of the directors 20 may be clustered together at one or moresites and in which the sites are geographically distant from oneanother. The system described herein may be used in connection with avSphere and/or VPLEX product produced by VMware Inc. of Palo Alto,Calif. and EMC Corporation of Hopkinton, Mass., respectively. The systemdescribed herein may also be used in connection with an RDF storageproduct produced by EMC Corporation, such as a Symmetrix product.Although discussed and illustrated in connection with embodiment for adistributed storage system, the system described herein may generally beused in connection with any appropriate distributed processing system.

Each distributed cache manager 26 may be responsible for providingcoherence mechanisms for shared data across a distributed set ofdirectors. In general, the distributed cache manager 26 may include amodule with software executing on a processor or other intelligencemodule (e.g., ASIC) in a director. The distributed cache manager 26 maybe implemented in a single director or distributed across multipleintercommunicating directors. In certain aspects, each of the directors20 may be embodied as a controller device, or blade, communicablycoupled to one or more of the SANs 30, 31 that allows access to datastored on the storage networks. However, it may be appreciated that adirector may also be embodied as an intelligent fabric switch, a hubadapter and/or other appropriate network device and may also beimplemented as a virtual machine, as further discussed elsewhere herein.Because Locality Conscious Directory Migration (LCDM) is applicable todatabases, any suitable networked director may be configured to operateas an access node with distributed cache manager functionality. Forexample, a distributed cache manager may be run on one or more desktopcomputers and/or virtual machines with a network connection.

According to the system described herein, a distributed storage systemmay enable a storage device to be exported from multiple distributeddirectors, which may be either appliances or arrays, for example. Withan active/active storage system, hosts in different locations may havesimultaneous write access to mirrored exported storage device(s) througha local front-end thereof (i.e., a director). The distributed storagesystem may be responsible for providing globally consistent and coherentdata access. The system described herein may be used in connection withenabling the distributed storage system to meet consistency guaranteesand maximize data access even in response to failures that may causeinconsistent data within the distributed storage system.

Using virtualization software, one or more of the physical servers maybe subdivided into a plurality of virtual machines. A virtual machine(VM) is a software implementation of a machine that executes programslike a physical machine. Virtualization software allows multiple VMswith separate operating systems to run in isolation on the same physicalmachine. Each VM may have its own set of virtual hardware (e.g., RAM,CPU, MC, etc.) upon which an operating system and applications areloaded. The operating system may see a consistent, normalized set ofhardware regardless of the actual physical hardware components. The term“virtualization software” is used herein to generally refer to any andall software that supports the operation of one or more VMs. A number ofvirtualization software products exist, including the VMware productfamily provided by VMware, Inc. of Palo Alto, Calif. A benefit ofproviding VMs is the ability to host multiple, unrelated, clients in asingle physical server. The virtualization software may maintainseparation of each of the clients, and in which each of the clientsseparately access their own virtual server(s). Other virtualizationproducts that may be used in connection with the system described hereininclude Hyper-V by Microsoft Corporation of Redmond, Wash., publiclicense virtualization products and/or other appropriate virtualizationsoftware.

Configuring and deploying VMs is known in the field of computer science.For example, U.S. Pat. No. 7,577,722 to Khandekar, et al., entitled“Provisioning of Computer Systems Using Virtual Machines,” which isincorporated herein by reference, discloses techniques for configuringand deploying a VM according to user specifications. VMs may beprovisioned with respect to any appropriate resource, including, forexample, storage resources, CPU processing resources and/or memory.Operations of VMs may include using virtual machine images. A virtualmachine image is the image of the virtual machine as it resides in thehost's memory. A virtual machine image may be obtained for an operatingVM and transferred to another location where the VM continues executionfrom the state defined by the virtual machine image. In this way, thevirtual machine image may be a snapshot of an execution state of aprogram by a VM that may be moved between different locations andprocessing thereafter continued without interruption.

In a virtualization environment, a virtual center, that may be referredto as a vCenter, may provide a central point of control for managing,monitoring, provisioning and migrating virtual machines. Virtual centersmay operate to control virtual machines in data centers and inconnection with cloud computing including using both internal andexternal cloud infrastructures and hybrids thereof.

FIG. 2 is a schematic illustration showing a system 100 that includes afirst data center 102 in communication with a second data center 104 viaa network 106. Although the following embodiments are discussedprincipally in connection with data centers 102, 104 any number ofadditional data centers, represented as data centers 102′, 104′, may bealso be used in connection with the system described herein. Each of thedata centers 102, 104 may include a plurality of storage devices andprocessors (not shown in FIG. 2) for executing applications using aplurality of VMs. The VMs may be configured using any appropriate servervirtualization technology, such as that provided by VMware, Inc. of PaloAlto, Calif., including vSphere. VSphere is a suite of tools offeringthe ability to perform cloud computing utilizing enterprise-levelvirtualization products such as VMware's ESX and/or ESXi. VSphere allowsmultiple VMs to run on any ESX host. Other VM technology may be usedincluding any appropriate VM technology provided by other vendors.

The data centers 102, 104 may contain any number of processors andstorage devices that are configured to provide the functionalitydescribed herein. In an embodiment herein, the storage devices may beSymmetrix storage arrays provided by EMC Corporation of Hopkinton, Mass.Other appropriate types of storage devices and different types ofprocessing devices may also be used in connection with the systemdescribed herein. The data centers 102, 104 may be configured similarlyto each other or may be configured differently. The network 106 may beany network or similar mechanism allowing data communication between thedata centers 102, 104. In an embodiment herein, the network 106 may bethe Internet and/or any other appropriate network and each of the datacenters 102, 104 may be coupled thereto using any appropriate mechanism.In other embodiments, the network 106 may represent a direct connection(e.g., a physical connection) between the data centers 102, 104.

In various embodiments, VMs may be migrated from a source one of thedata centers 102, 104 to a destination one of the data centers 102, 104.VMs may be transferred from one data site to another, including VMmobility over geographical distances, for example, for reasons ofdisaster avoidance, load balancing and testing, among other reasons. Fora discussion of migrating VMs, reference is made to U.S. patentapplication Ser. No. 12/932,080 to Meiri et al., filed Feb. 17, 2011,entitled “VM Mobility Over Distance,” which is incorporated herein byreference and is assigned to the assignee of the present application. Aproduct, such as EMC's VPLEX Geo and/or VPLEX Global, may be used toenable the resources of disparate storage systems in geographicallydispersed data centers to be federated together and utilized as a singlepool of virtual storage. VPLEX Geo or Global provide for data mobility,availability and collaboration through active/active data over distancewith the ability to non-disruptively move many VMs.

FIG. 3 is a schematic illustration showing a distributed storage system200 having multiple sites according to an embodiment of the systemdescribed herein. Although illustrated with two sites, Site A 201 andSite B 202, the system described herein may also operate in connectionwith additional sites. Although components are specifically identifiedwith respect to Site A 201, Site B 202 (or any additional site) may alsoinclude the components discussed herein. The sites 201, 202 may includeone or more hosts grouped in host clusters 210 a,b, one or moredirectors grouped in director clusters 220 a,b, and disk arrays 240 a,b.Each host cluster 210 a,b and director cluster 220 a,b may each includesoftware and/or other controllers or interfaces to control or administeroperations in connection with described functions of the hosts anddirectors. In an embodiment, each host cluster 210 a,b may include ESXhosts in a vSphere cluster and director cluster 220 a,b may includedirectors in a VPLEX cluster. Front end networks 215 a,b may connectthrough host links to the host clusters 210 a,b and through front endlinks to the director clusters 220 a,b. One or more back end networks230 a,b may connect through back end links to the director clusters 220a,b and through array links to the disk arrays 240 a,b. In anembodiment, the front and back end networks may be Fibre Channelnetworks. The front end networks 215 a,b allow the hosts (or VMs runningtherein) to perform I/O operations with the host clusters 210 a,b, whilethe back end networks 230 a,b allow the directors of the directorclusters 220 a,b to perform I/O on the disk arrays 240 a,b. One or morehost networks 205, such as vSphere Ethernet networks, connect the ESXhosts in host clusters 210 a,b. One or more director networks 225connect the directors of the director clusters 220 a,b.

Various types of failures, including network failures within a cluster,may result in behaviors that are further discussed elsewhere herein. Itshould be noted that the host cluster 210 a,b (e.g., vSphere cluster)may be connected in such a way that VMs can keep their network (e.g.,IP, FC, IB) addresses when migrating between clusters (for example, bymeans of a vLan or an open vSwitch). In an embodiment, VPLEX Geo may beused and configured to expose one or more distributed volumes from bothVPLEX director clusters. A VMFS may be created on top of thesedistributed volumes allowing VMs that migrate between the sites to seethe same file system in either site. It is also noted that, asillustrated and according to various embodiments, each site 201, 202 mayinclude redundancies in hosts, directors and links therebetween. Itshould be noted that the active/active system described herein may alsobe used in active/passive functioning as appropriate or desired.

I/O access may be provided to distributed volumes in an active/activesystem with two sites separated by an asynchronous distance. Forasynchronous operation, a write operation to cluster at a remote sitemay be acknowledged as soon as a protection copy is made within thecluster. Sometime later the write data is synchronized to the remotesite. Similarly, writes to the remote site are later synchronized to acluster at the local site. Software or other controllers at the directorclusters, such as VPLEX, may present the same image of the data oneither cluster to provide a cache-coherent view of the data. In anembodiment, this may be achieved by fetching data that has not yet beenreplicated between a source and destination site (i.e. “dirty” data; ascompared with “clean” data which has been copied and is protected onmultiple sites) over the inter-cluster link on an as needed basis. Inthe background, the controller (VPLEX) may synchronize the oldest dirtydata between the clusters.

The above operations may work as long as the inter-cluster network isavailable. If the inter-cluster link fails, both clusters may containdirty data that is unknown by the respective remote clusters. As aconsequence of this failure, the director cluster may rollback the imageof the data to a write order consistent point. In other words, thedirector cluster may rollback the image of the data to a point where itknows the data that is available on both clusters, or to a time wherethe write data was exchanged between both sites. The director clustermay also guarantee rollback to an image of the disk or volume that iswrite order consistent, which means that if the data of a specific writeis available on the volume, all data of writes that were acknowledgedbefore (“preceded”) that write should be present too. Write orderconsistency is a feature that allows databases to recover by inspectingthe volume image. As noted elsewhere herein, known techniques mayprovide write order consistency by bucketing writes in what are calleddeltas and providing the consistency on a delta boundary basis (see,e.g. U.S. Pat. No. 7,475,207 to Bromling et al.).

Suspend/resume migration processing may involve suspending a VM in thesource site and resuming that VM in the destination site. Before thesuspended VM is resumed, all dirty data for the affected VMFS may besynchronized from the source VPLEX cluster to the destination VPLEXcluster, and the preference (i.e. “winner” site) for the distributedvolume may be changed from the source cluster to the destinationcluster. The preference attribute may be related to a VPLEX consistencygroup that contains one or more VMs. Hence, the VM may be in aconsistency group of its own or all VMs in a consistency group may bemigrated together. To know when the synchronization of VPLEX's dirtycache is finished, the customer may map the VMFS to a distributedvolume.

FIG. 4 is a schematic illustration showing failure scenarios, identifiedas 1-15, in a distributed storage system 200′ having multiple sites likethat of distributed storage system 200 according to various embodimentsof the system described herein. Table 1 shows the observed behaviors ofthe different failure scenarios, as schematically shown in FIG. 4, inconnection with suspending and resuming migrations of VMs according tovarious embodiments of the system described herein. The specificembodiments described in Table 1 are discussed in connection with theuse of VPLEX Geo clusters (director clusters 220 a,b) and vSphereclusters (host clusters 210 a,b). It is further noted that in connectionwith characterizing failure scenarios and identifying an appropriatesite as a winner site for continuing operations, a cluster witness nodemay be used. Reference is made, for example, to U.S. patent applicationSer. No. 12/930,121 to Ortenberg et al., filed Dec. 29, 2010, andentitled “Witness Facility for Distributed Storage System,” which isincorporated herein by reference, that providing examples of featuresand uses of a witness node in a distributed storage system in connectionwith determining failure conditions. It is noted that conditions and/oruser preferences may cause a site to be indicated a preferred site;however, in the event of certain failures, a winner site may be otherthan the preferred site and may cause re-selection of a preferred site.

TABLE 1 Scenario VPLEX Geo behavior vSphere behavior 1. Array failureVPLEX continues providing access to No change. the distributed volumeusing the remaining (remote) array. When access to the failed array isrestored or the array is replaced, the volume on the affected array willbe resynchronized automatically. 2a. Array link failure Directors useall available paths to No change. (redundant) an array. All directors inthe affected cluster lose one path to one array, but have one remainingpath to the array. 2b. Array link failure See scenario “1. Arrayfailure.” — (non-redundant) 3a. Back end Directors use all availablepaths to No change. network failure an array. All directors in theaffected (redundant) cluster lose one path to all local arrays, but oneredundant path between the local directors and the local arrays remains(through the redundant back end network). 3b. Back end All directorslose both paths to all No change. network failure local arrays. Hencethese directors (non-redundant) lose access to the local mirror legs oftheir distributed volumes. Reads to the affected volumes will be servedfrom the remote mirror legs. Writes to the affected volumes succeed onthe remote mirror leg and cause the local mirror legs to be marked out-of-date. No rebuilds will be started due to lack of array visibility.4a. Back end link Directors use all available paths to No change.failure (redundant) an array. One director loses one path to all localarrays present, but one path to these arrays remains. 4b. Back end linkOne director loses both paths to all No change. failure (non- localarrays. Hence this director loses redundant) access to the local mirrorlegs of its distributed volumes. Reads to the affected volumes will beserved from the remote mirror legs. Writes to the affected volumessucceed on the remote mirror leg and cause the local mirror legs to bemarked out- of-date, which will cause other directors to startrebuilding the distributed volumes (which will not succeed as long ashosts write to the distributed volumes through the affected director).5a. VPLEX director VPLEX protected the user data on The ESX hosts useall available paths failure (redundant) another director. Thisprotection to VPLEX. Under this scenario copy will be take the place ofthe multiple ESX hosts lost paths to one original copy in VPLEX's cachedirector, but one or more paths coherence protocol and will remain toone or more unaffected eventually be flushed to the back VPLEXdirectors. end array. 5b. VPLEX director See scenarios “7. VPLEX cluster— failure (non- failure.” redundant) 6a. VPLEX local Directors use allavailable paths to No change. communication link communicate to otherdirectors. failure (redundant) Under this scenario one director lost onepath to each other local director, but another path to each other localdirector remains. 6b. Local VPLEX The affected VPLEX director will be Nochange. communication link expelled, effectively removing the failure(non- export of the distributed volume redundant) from that director.6c. Local VPLEX A VPLEX director uses all available No change.communication paths to communicate to other network failure directors.All directors lost one path (redundant) to all other local directors,but one path to each other local director remains (through the redundantcommunication network). 6d. Local VPLEX VPLEX single: one director isVPLEX single: No change. communication expelled and the other keepsVPLEX dual and quad: All local VMs network failure running. go into PDL.VMs have to be (non-redundant) VPLEX dual and quad: the VPLEX restartedmanually on the surviving local site is expelled. cluster. 7a.Non-preferred The cluster witness tells the VMs and ESX hosts talking tothe VPLEX cluster failure preferred cluster to proceed serving failed,non-preferred cluster see all observed by the I/O. Once the failedcluster comes paths to the VPLEX array disappear cluster witness backonline all distributed volumes (All Paths Down). vSphere host will beresynchronized. adapter (HA) does not restart VMs across geography soall these VMs are unavailable until the failed, non- preferred VPLEXcluster comes back online or the user moves the VMs to the surviving,preferred VPLEX cluster manually. 7b. Non-preferred The preferredcluster proceeds VMs and ESX hosts talking to the VPLEX cluster failureserving I/O. Once the failed, non- failed, non-preferred VPLEX clusternot observed by the preferred cluster comes back online see all paths tothe storage cluster witness all distributed volumes will be disappear(All Paths Down). vSphere resynchronized. HA does not restart VMs acrossgeography so all these VMs are unavailable until the failed, non-preferred VPLEX cluster comes back online or the user moves the VMs tothe surviving, preferred VPLEX cluster manually. 7c. Preferred VPLEXCluster witness overrules the VMs and ESX hosts talking to the clusterfailure preference and tells the non- failed, preferred cluster see allpaths observed by the preferred cluster to proceed serving to thestorage disappear (All Paths cluster witness I/O. Once the cluster comesback Down or APD in vSphere online all distributed volumes will beterminology). vSphere HA does not resynchronized. restart VMs acrossgeography so all these VMs are unavailable until the failed, preferredVPLEX cluster comes back online or the user moves the VMs to thesurviving, non- preferred VPLEX cluster manually. 7d. Preferred VPLEXThe non-preferred cluster stops All VMs and ESX hosts see all pathscluster failure not serving I/O. Once the failed, to the VPLEX arraydisappear (All observed by the preferred cluster comes back online PathsDown or APD in vSphere cluster witness I/O will proceed on bothclusters. terminology). 8a. Front end link No change. ESX hosts use allavailable paths to failure (redundant) the VPLEX array. All ESX hostslose one path to one director, but one or more paths remain to the VPLEXarray. 8b. Front end link No change. ESX hosts use all available pathsto failure (non- the VPLEX array. All ESX hosts lose redundant) bothpaths to one director, but two paths remain to one or more unaffecteddirectors. 9a. Front end No change. ESX hosts use all available paths tonetwork failure the VPLEX array. All ESX hosts and (redundant) all VPLEXdirectors attached to this back end network lost one or more paths, butother paths remain (through the redundant front end network). 9b. Frontend No change. All ESX hosts in one cluster lose all network failurepaths to the local VPLEX array. (non-redundant) Depending on the VM'soperating system and whether disk I/O is happening, the VM fails orwaits for the front end network to return. Failed VMs have to berestarted. 10a. Host link failure No change. ESX hosts use all availablepaths to (redundant) the VPLEX array. One ESX host loses one path, butone path remains to the VPLEX array. 10b. Host link failure No change.One ESX host loses both paths to the (non-redundant) VPLEX array,resulting in a Persistent Device Loss for all volumes. vSphere HA willrestart all affected VMs on another ESX host in the same cluster. 11a.ESX host failure No change. vSphere HA restarts the VMs that (redundant)were running on the failed ESX host on a redundant ESX host. 11b. ESXhost failure See scenario “12. vSphere Cluster — (non-redundant)failure.” 11c. VM failure No change. vSphere HA restarts the failed VMon any ESX host in the same cluster. 12. vSphere Cluster No change.Failed VMs have to be restarted failure manually. 13a. Inter-site VPLEXVPLEX sites use all available paths to No change. communicationcommunicate to each other. Under network failure this scenario oneinter-site (redundant) communication network remains. 13b. Inter-siteVPLEX Preferred cluster: No change. Preferred cluster: No change.communication Non-preferred cluster: Directors in Non-preferred cluster:No change, network failure the non-preferred site suspend I/O. becauseall VMs are running in the (non-redundant) preferred site. duringregular operation 13c. Inter-site VPLEX Preferred or source cluster: NoPreferred or source cluster: The VMs communication change that aremigrating have to be network failure Non-preferred or destinationcluster: restarted manually. The VMs that (non-redundant) Directors inthe non-preferred or were running in the preferred site during amigration destination site suspend I/O. keep running. Non-preferred ordestination cluster: No change because all VMs are running in thepreferred or source site. 13d. Inter-site VPLEX Preferred (or formerlydestination) Preferred (or formerly destination) communication cluster:No change. cluster: No change. network failure Non-preferred (orformerly source) Non-preferred (or formerly source) (non-redundant)cluster: Directors in the non- cluster: No change, because all VMsshortly after a preferred or source site suspend I/O. are running in thepreferred site. migration 14a. Inter-cluster No change. All ESX hostscan still see each other vSphere network over the redundantinter-cluster failure (redundant) vSphere network. 14b. Inter-cluster Nochange. ESX hosts in different clusters can no vSphere network longersee each other. VMs remain failure (non- running and can only bevMotioned redundant) to ESX hosts within their current cluster. 15a.Inter-site VPLEX Preferred cluster: No change. Preferred cluster: Nochange. communication Non-preferred cluster: Directors in Non-preferredcluster: No change, network failure the non-preferred cluster suspendbecause all VMs are running in the (non-redundant) I/O. preferredcluster. plus inter-cluster vSphere network failure (non- redundant)during regular operation 15b. Inter-site VPLEX Preferred or sourcecluster: No Preferred or source cluster: The VMs communication change.that are migrating have to be network failure Non-preferred ordestination cluster: restarted in the source cluster (non-redundant)Directors in the non-preferred or because the migration fails. The VMsplus inter-cluster destination cluster suspend I/O. that were running inthe preferred vSphere network cluster keep running. failure (non-Non-preferred or destination cluster: redundant) during a No changebecause no VMs are yet migration running in this cluster. 15c.Inter-site VPLEX Preferred (or formerly destination) Preferred (orformerly destination) communication cluster: No change. cluster: Nochange. network failure Non-preferred (or formerly source) Non-preferred(or formerly source) (non-redundant) cluster: Directors in the non-cluster: No change, because no VMs plus inter-cluster preferred orsource cluster suspend are running in this cluster anymore. vSpherenetwork I/O. failure (non- redundant) shortly after a migration

Failures may also occur when a VM is migrated while performing I/Ooperations. The migration of a VM during I/O operations may be referredto herein as “vMotion” and may be facilitated by a VMware product calledvMotion. In a director network failure situation during VM migration,both the source cluster directors and the destination cluster directorsmay contain dirty data. A similar problem may occur when multiple VMshave to be migrated together because they all access one VMFS volume. Inan embodiment, this problem could be alleviated by suspending therestart of the VM on the destination cluster until the director cluster(e.g., VPLEX cluster) cache has been synchronized; however, suchoperation may cause undesirable delays.

In various embodiments, many of the failure scenarios for VM migrationmay result in the same behavior as for that of suspend/resume migrationfailure behavior results. Table 2 describes the failure scenarios wherethe VM migration (e.g., vMotion) results in different behaviors ascompared with the suspend/resume migration processing of Table 1. Notethat in Table 2, the identified scenarios from Table 1 are split in two:one for the case where dirty data is on the non-preferred cluster andone where dirty data is not on the non-preferred cluster.

TABLE 2 Scenario VPLEX Geo behavior vSphere behavior 13A. Inter-sitePreferred cluster: Directors in the Preferred cluster: No change. VPLEXpreferred cluster keep serving I/O. Non-preferred cluster: VMs can nocommunication Non-preferred cluster: Directors in longer access theVPLEX array. They network failure the non-preferred cluster stop canwait for the storage to return or (non-redundant) serving I/O until theinter-site VPLEX they can be restarted manually at during regularcommunication network returns. the preferred cluster. operation withoutdirty data in the non-preferred cluster 13B. Inter-site VPLEX Preferredcluster: Directors in the Preferred cluster: ESX hosts and VMscommunication preferred cluster discard some should be restarted to findout what network failure recently written data (to directors in data isdiscarded by the VPLEX array. (non-redundant) either cluster). VPLEXrolls back to a Non-preferred cluster: VMs can no during regularwrite-order consistent volume image longer access storage. They willhave operation with dirty and suspends I/O. The user resumes to berestarted manually on either data in the non- I/O after restarting allESX hosts and the preferred cluster or the non- preferred cluster VMspresent in the preferred cluster preferred cluster. ESX hosts need to byissuing the “resume-after- be restarted. rollback <consistency group>”command. Non-preferred cluster: Directors in the non-preferred clustersuspend I/O until the inter-site communication network returns and theuser resumes I/O to indicate that all ESX hosts and remaining VMs arerestarted. Writes to distributed volumes on the directors in thepreferred cluster after the inter-site communication failure happened,are present on the directors in the non-preferred cluster. 13C.Inter-site VPLEX Same VPLEX Geo behaviors as in Same vSphere behaviorsas in communication scenario “13A. Inter-site VPLEX scenario “13A.Inter-site VPLEX network failure communication network failure (non-communication network failure (non- (non-redundant) redundant) duringregular operation redundant) during regular operation during vMotionwithout dirty data in the non- without dirty data in the non- withoutdirty data in preferred cluster.” preferred cluster.” the non-preferredVMs of failed vMotions have to be cluster restarted manually. 13D.Inter-site VPLEX Same VPLEX Geo behaviors as in Same vSphere behaviorsas in communication scenario “13B. Inter-site VPLEX scenario “13B.Inter-site VPLEX network failure communication network failure (non-communication network failure (non- (non-redundant) redundant) duringregular operation redundant) during regular operation during vMotionwith with data in the non-preferred.” with dirty data in thenon-preferred dirty data in the cluster.” non-preferred VMs of failedvMotions have to be cluster restarted manually. 13E. Inter-site VPLEXSame VPLEX Geo behaviors as in Same vSphere behaviors as incommunication scenario “13A. Inter-site VPLEX scenario “13A. Inter-siteVPLEX network failure communication network failure (non- communicationnetwork failure (non- (non-redundant) redundant) during regularoperation redundant) during regular operation shortly after withoutdirty data in the non- without dirty data in the non- vMotion withoutpreferred cluster.” preferred cluster.” dirty data in the The justvMotioned VMs have to be non-preferred restarted manually. cluster 13F.Inter-site VPLEX Same VPLEX Geo behaviors as in Same vSphere behaviorsas in communication scenario “13B. Inter-site VPLEX scenario “13B.Inter-site VPLEX network failure communication network failure (non-communication network failure (non- (non-redundant) redundant) duringregular operation redundant) during regular operation shortly after withdirty data in the non-preferred with dirty data in the non-preferredvMotion with dirty cluster.” cluster.” date in the non- The justvMotioned VMs have to be preferred cluster restarted manually. 15A.Inter-site VPLEX Same VPLEX Geo behaviors as in Same vSphere behaviorsas in communication scenario “13A. Inter-site VPLEX scenario “13A. VPLEXinter-site network failure communication network failure (non-communication network failure (non- (non-redundant) redundant) duringregular operation redundant) during regular operation plus inter-clusterwithout dirty data in the non- without dirty data in the non- v5pherenetwork preferred cluster.” preferred cluster.” failure (non- vMotionbetween the vSphere redundant) during clusters is not possible until theregular operation inter-cluster vSphere network without dirty data inreturns. both VPLEX clusters 15B. Inter-site VPLEX Same VPLEX Geobehaviors as in Same vSphere behaviors as in communication scenario“13B. Inter-site VPLEX scenario “13B. Inter-site VPLEX network failurecommunication network failure (non- communication network failure (non-(non-redundant) redundant) during regular operation redundant) duringregular operation plus inter-cluster with dirty data in thenon-preferred with dirty data in the non-preferred v5phere networkcluster.” cluster.” failure (non- vMotion between the vSphere redundant)during clusters is not possible until the regular operationinter-cluster vSphere network with dirty data in returns. both VPLEXclusters 15C. Inter-site VPLEX Same VPLEX Geo behaviors as in SamevSphere behaviors as in communication scenario “13A. Inter-site VPLEXscenario “13A. Inter-site VPLEX network failure communication networkfailure (non- communication network failure (non- (non-redundant)redundant) during regular operation redundant) during regular operationplus inter-cluster without dirty data in the non- without dirty data inthe non- vSphere network preferred cluster.” preferred cluster.” failure(non- vMotion between the vSphere redundant) during clusters is notpossible until the vMotion without inter-cluster vSphere network dirtydata in the returns. VMs of failed vMotions non-preferred VPLEX need tobe restarted manually. cluster 15D. Inter-site VPLEX Same VPLEX Geobehaviors as in Same vSphere behaviors as in communication scenario“13B. Inter-site VPLEX scenario “13B. Inter-site VPLEX network failurecommunication network failure (non- communication network failure (non-(non-redundant) redundant) during regular operation redundant) duringregular operation plus inter-cluster with dirty data in thenon-preferred with dirty data in the non-preferred vSphere networkcluster.” cluster.” failure (non- vMotion between the vSphere redundant)during clusters is not possible until the vMotion with dirtyinter-cluster vSphere network data in the non- returns. VMs of failedvMotions preferred VPLEX need to be restarted manually. cluster 15E.Inter-site VPLEX Same VPLEX Geo behaviors as in Same vSphere behaviorsas in communication scenario “13A. Inter-site VPLEX scenario “13A. VPLEXinter-site network failure communication network failure (non-communication network failure (non- (non-redundant) redundant) duringregular operation redundant) during regular operation plus inter-clusterwithout dirty data in the non- without dirty data in the non- vSpherenetwork preferred cluster.” preferred cluster.” failure (non- vMotionbetween the vSphere redundant) shortly clusters is not possible untilthe after vMotion inter-cluster vSphere network without dirty data inreturns. Just vMotioned VMs need the non-preferred to be restartedmanually. VPLEX cluster 15F. Inter-site VPLEX Same VPLEX Geo behaviorsas in Same vSphere behaviors as in communication scenario “13B.Inter-site VPLEX scenario “13B. VPLEX inter-site network failurecommunication network failure (non- communication network failure (non-(non-redundant) redundant) during regular operation redundant) duringregular operation plus inter-cluster with dirty data in thenon-preferred with dirty data in the non-preferred vSphere networkcluster.” cluster.” failure (non- vMotion between the vSphere redundant)shortly clusters is not possible until the after vMotion withinter-cluster vSphere network dirty data in the returns. Just vMotionedVMs need non-preferred VPLEX to be restarted manually. cluster

FIGS. 5 and 6 show alternative configurations for distributed storagesystems that may be used in accordance with embodiments of the systemdescribed herein. In FIG. 5, a distributed storage system 200″ is shownthat includes a host cluster 210′ as a distributed processing layeroperating across the multiple sites 201, 202 and otherwise havingelements like that discussed elsewhere herein. In FIG. 6, a distributedstorage system 200′″ is shown in which the front end networks 215′ areshown operating as an external network accessed by each of the sites201, 202 and otherwise having elements like that discussed elsewhereherein.

Once a director cluster (e.g., VPLEX Geo) has a vulnerability where oneadditional failure (or a limited number of additional failures) wouldresult in Data Unavailability (DU) in a site according to the systemdescribed herein, it may start taking proactive measures to prevent thisDU from happening. In other words, the system may transition towards anactive/passive model. This may involve determining which site is a lessvulnerable or otherwise preferred site in the event of the failure.Thereafter, the system may migrate all VMs to the less vulnerable(preferred) site (away from the more vulnerable site). If both sites arevulnerable to the same degree, the VMs are migrated to the customer'sindicated preferred site. The director cluster (VPLEX) may initiatethese migrations by specifying a “must” preference through an interfaceto a vCenter. According to various embodiments, a must preference fromVPLEX to vSphere indicates on what ESX hosts VMs must be running inorder to have and retain access to a specific virtual volume. A mustpreference from vSphere to VPLEX indicates on what directors a virtualvolume must survive in order for VMs to have and retain access to it.Contrast this to a “should” preference for where the winning clusterscontains the same volume image as the losing or stopped cluster. Ashould preference from VPLEX to vSphere indicates on what ESX hosts VMsshould ideally be (this is a useful preference for VPLEX Metro). Ashould preference from vSphere to VPLEX indicates on what directors avirtual volume should ideally survive. The migrating of VMs to the sitewith access to its array improves I/O performance.

In embodiments like that discussed above, VPLEX Geo or Global, incombination with vSphere, may proactively migrate VMs to ensure that oneadditional failure (or a limited number of additional failures) will notcause a DU. Of course if the additional failure happens before the VMsare all moved the DU can still be encountered. Once vSphere has avulnerability where one additional failure (or a limited number ofadditional failures) results in lack of resources to run all VMs in onesite or to move all VMs to one site, it should notify VPLEX about itsshortcomings. This may result in overruling the customer's indicatedpreferred site. Depending on the nature of the resource problem a shouldor must preference is given. Ideally, a should preference may be usedwhen all VMs can run on one site but some resources become overcommittedbased on limits in vSphere's resource allocations. A must preference maybe used when VMs can no longer run on one site because of Reservationsspecified in vSphere's Resource Allocation. A must preference may alsobe used when the vSphere inter-cluster link becomes vulnerable.

In another embodiment, when both clusters contain dirty cache data, thedirector clusters 220 a,b may discard some of the last writes in orderfor the customer to carry on operations. As further discussed elsewhereherein, the director clusters 220 a,b may rollback the volume image to awrite order consistent image, which means that an image from some priorpoint in time will be restored.

According to various embodiment of the system described herein, it maybe advantageous to avoid occurrences of VM image rollback, particular inconnection with addressing a situation where a last independentinter-cluster link fails during or shortly after a VM migration andcauses not all data to be available on the cluster that is the target ofthe VM migration.

In an embodiment, the system described herein may provide for avoidingrollback of the distributed volume by writing to the distributed volumefrom only one cluster. By making sure that all the VMs that areaccessing a certain file system, such as VMFS, vSphere, and/or NTFS forHyper-V, on a distributed volume are in the cluster of the preferredsite, it may not be necessary to rollback an image when a link failureoccurs. This does mean that the system is used in an active/passivefashion on a cluster level. All VMs accessing the same distributedvolume may have to be migrated together by suspending all the VMs on thesource ESX host cluster, synchronizing the dirty blocks from the sourcedirector cluster to the destination director cluster, moving the clusterpreference to the destination cluster, and resuming all the VMs on thedestination ESX host cluster.

The following discusses a specific embodiment for avoiding rollbackaccording to the system described herein for failure conditions likethat discussed above. In the event of an expected link failure or acondition that results in a determination that link failure between asource site and the destination site is more likely, at the moment thatthe host cluster (e.g., a vSphere cluster) decides to start a VMmigration to another site (e.g., which site may be the “winner” orpreferred site in the event of a failure condition), it indicates thisto the director cluster (e.g., a VPLEX cluster) at the source site byissuing an asynchronous SYNCHRONIZE CACHE command to the affectedlogical units of the director cluster at the source site. The hostcluster, either at the source site or as a distributed layer, may startpushing memory pages to the destination ESX host. The director clusterat the source site may start pushing storage data (e.g., in one or moredata blocks) for the volume groups containing the affected logical unitsto the destination cluster.

Once the host cluster has pushed enough pages over to enable the hostcluster to suspend the VM on the source ESX host, the host cluster mayissue a synchronous SYNCHRONIZE CACHE command to the affected logicalunits of the director cluster at the source site. The host cluster thenpushes the remaining memory pages to the destination ESX host, and thedirector cluster at the source site pushes the remaining storage data tothe destination director cluster. Once the director cluster at thesource site finishes, the director cluster then completes the second(synchronous) SYNCHRONIZE CACHE command. Once the host cluster sees thatboth the memory pages and the storage data are available to thedestination ESX host, the host cluster resumes the VM on the destinationhost. If the director cluster somehow takes too long before it respondsto the synchronous SYNCHRONIZE CACHE command (in other words it takestoo long pushing the remaining storage data to the destination cluster),the VM can be resumed on the source ESX host and the process can berestarted at an appropriate one of the above-noted steps.

Therefore, in accordance with the system described herein, theabove-noted embodiment provides for synchronizing data between a sourceand destination site during a migration operation by moving dirty datafrom a source site to a destination site along with a VM that wasrunning at the source site and then resuming the operation of the VM onthe destination site.

FIG. 7 is a flow diagram 300 showing a method for providing mobility ofa VM between a source site, such as site A 201, and a destination site,such as site B 202, of an active/active system according to anembodiment of the system described herein. At a step 302, for a VMoperating on the source site, a determination is performed to identifythe destination site that may be, for example, a preferred site and/or awinner site. Determining the destination site may occur in response to adetermination that at least one additional failure will result in a lackof resources to maintain desired operation of the VM on the source site.After the step 302, processing proceeds to a step 304 where, while theVM is operating on the source site, an amount of storage data istransferred from the source site to the destination site. After the step304, processing proceeds to a step 306 where at least a portion of theVM image is transferred to the destination site. In various embodiments,the steps 304 and 306 may be performed in a different order than shownand/or may be performed concurrently.

After the step 306, processing may proceed to a test step 308 where itis determined if a link failure has occurred between the source site andthe destination site. As further discussed elsewhere herein, failureconditions may be determined using a witness node, for example. If it isdetermined at the test step 308 that a link failure has occurred, thenprocessing proceeds to a step 330 where the transfer processing to thedestination site is stopped and the VM is to be kept at the source site.After the step 330, processing is complete.

If it is determined that a link failure has not occurred at the teststep 308, then processing proceeds to another test step 310 where it isdetermined whether a sufficient amount of storage data and/or memory ofthe VM (VM image) has been transferred to the destination site. Invarious embodiments, a sufficient amount of storage data and/or VM imageinformation may be determined according to one or more thresholds. Forexample, a threshold may be whether 90% of the storage data and/or theVM image has been transferred. In this way, since the VM continues tooperate on the source site during this part of the process, changes tostorage data and/or the VM image while the VM is operating in the sourcesite may affect the determinations of the amount of current storage dataand/or the VM image that has been transferred. The threshold may beconfigured to establish that at a particular point in time, given theamount of storage data and VM image information transferred, it isappropriate to proceed with processing to suspend and resume the VM onthe destination site, as further discussed herein.

Accordingly, if, at the test step 310, it is determined that sufficientamounts of the storage data and/or VM image have not been transferred,then processing proceeds back to the step 304. Otherwise, if it isdetermined that a sufficient amount has been transferred at the teststep 310 according to the threshold(s), then processing proceeds to astep 312 where operation of the VM is suspended on the source site.After the step 312, processing proceeds to a step 314 where a remainderamount of the storage data, that is remaining on the source site andthat had not been transferred in the prior steps, is transferred fromthe source site to the destination site. After the step 314, processingproceeds to a step 316 where an a remainder amount of the VM imageinformation, that is remaining on the source site and that had not beentransferred in the prior steps, is transferred from the source site tothe destination site. Like that of steps 304 and 306, in variousembodiments, the steps 314 and 316 may be performed in an order otherthan that shown and/or may be performed concurrently.

After the step 316, processing proceeds to a step 318 where it is againdetermined if a link failure has occurred between the source site andthe destination site. If it is determined at the test step 318 that alink failure has occurred, then processing proceeds to the step 330where the transfer processing to the destination site is stopped and theVM is to be kept at the source site. After the step 330, processing iscomplete.

If it is determined that a link failure has not occurred at the teststep 318, then processing proceeds to another test step 320 wheretransfer of the storage data and VM image to the destination site iscompleted. That is, for example, completion of data and VM imagetransfer may be when 100% of the storage data and VM image have beentransferred. If not, then processing proceeds back to the step 314. Ifthe transfer to the destination site is determined to be completed atthe test step 320, then processing proceeds to a step 322 where the VMis resumed on the destination site according to the transferred storagedata and the transferred VM image. After the step 322, processing iscomplete.

In various embodiments, the above-noted processing may also includeprovisions for error processing in which it is determined thatprocessing, such as transferring of storage data and/or the VM image,may not be performed and/or may not be desirable to perform. Forexample, a system may include mechanisms for factoring in loaddetermination processing such that a determination that load on anetwork is high may cause cancellation of the VM transfer even where alink failure has not occurred. Similarly, the error processing may beperformed in connection with exceeding a time threshold where an attemptto transfer storage data and/or the VM image has timed out over anetwork. It is also noted that the above-noted method, and other methodsdiscussed herein, may be performed using executable code stored on anon-transitory computer readable medium that is executed by one or moreprocessors and is performed in connection with a system havingcomponents like that further discussed elsewhere herein.

Another alternative embodiment of the system described herein is to makeESX hosts aware of the changed volume state by rebooting them so theypick up the current state. This assumes that ESX hosts do not forwardinformation about their state to vCenter or other ESX hosts. All ESXhosts that may have state about volumes that have rolled back can be putin maintenance mode. The ESX host may not have to access the volume tostore its updated state, because such access would risk corrupting theVMFS. By parking an ESX host in maintenance mode, all VMs that are nottalking to the rolled back storage may be migrated to other ESX hosts.Once no VMs are remaining on the ESX host, it can be rebooted and pickup the new, rolled back state of the volume.

According to another embodiment of the system described herein, thesystem may control rollback of a volume, or portion thereof, in adifferent way. For example, the system may only rollback the state ofthe volume to a write order consistent image on the remote cluster. Forexample, a winning site may contain all local writes and only the remotewrites that have been synchronized locally in a write order consistentway. This would result in a volume image that is not globallyconsistent, and it is noted that some applications may not be able todeal with this alternate rollback state.

According to another embodiment, the system described herein may providefor the use of the inter-cluster links between the host clusters (hostnetworks 205) and the inter-cluster link between the director clusters(director networks 225) of multiple sites to be used to help migrate aVM. Such operation may be used to increase bandwidth of the host clusterenough that it is able to migrate over longer distances. Accordingly,instead, or in addition to, the transferring of a VM image using thehost networks 205 and the storage data using the director networks 225,the host networks 205 may be used to transfer storage data and/or thedirector networks 225 may be used to transfer VM images. For example, inan embodiment, either the VM image and/or the storage data may betransferred over the director networks 225 between the director clustersin connection with a VM migration operation. In another embodiment,either the VM image and/or the storage data may be transferred over thehost networks 205. It is further noted that in connection with thisoperation, a host cluster may perform writes of the VM's image to thesource director cluster at the source site and corresponding reads tothe destination director cluster at the destination site. Theabove-noted method may be performed in connection with a determinationof a failure of an inter-cluster link, with at least a last remaininginter-cluster link in operation. That is, even though one inter-clusterlink has failed, such as failure of host networks 205, migration of a VMmay be advantageously enhanced by using the remaining inter-clusterlink, such as director networks 225, to help with the migrating byincreasing the bandwidth of the host cluster, and vice versa.

FIG. 8A is a flow diagram 400 showing a method for using theinter-cluster link (director networks 225) between director clusters 220a,b of multiple sites 201, 202 in an active/active system according toan embodiment of the system described herein. At a step 402, operationof a VM is initiated, or otherwise maintained, on a source site (e.g.,site A 201). After the step 402, processing proceeds to a step 404 whereat least some storage data is transferred to the destination site (e.g.,site B 202) over the director networks 225. After the step 404,processing proceeds to a step 406 where at least a portion of a VM imageis transferred to the destination site over the director networks 225.In this embodiment, the portion of the VM image may be transferred overthe director networks to a shared memory (e.g. cache) location on thedestination site. After the step 406, processing proceeds to a step 408where a read of the VM image, that was transferred to the destinationsite, is received at the host cluster of the source site. After the step408, processing proceeds to a step 410 where a director of the sourcesite fetches the VM image from the shared memory location on thedestination site over the director networks 225 to service the readrequest. Accordingly, in this embodiment the VM image and storage datamay be transferred from a source site to a destination site using thedirector networks 225. It is further noted that the order of varioussteps described above may be different than that shown and/or may beperformed concurrently. After the step 410, processing is complete.

FIG. 8B is a flow diagram 450 showing a method for using theinter-cluster link (host networks 205) between host clusters 210 a,b ofmultiple sites 201, 202 in an active/active system according to anembodiment of the system described herein. At a step 452, operation of aVM is initiated, or otherwise maintained, on a source site (e.g., site A201). After the step 452, processing proceeds to a step 454 where atleast a portion of the VM image is transferred to the destination site(e.g., site B 202) over the host networks 205. After the step 454,processing proceeds to a step 456 where at least some storage data(dirty data) is read by a host at the source site (e.g., site A 201).After the step 456, processing proceeds to a step 458 where the host atthe source site sends the storage data to the destination site over thehost networks 205. After the step 458, processing proceeds to a step 460where a host at the destination site writes the storage data to thedestination site. Accordingly, in this embodiment the VM image andstorage data may be transferred from a source site to a destination siteusing the host networks 205. It is further noted that the order ofvarious steps described above may be different than that shown and/ormay be performed concurrently. After the step 460, processing iscomplete.

In various embodiments, the processing of FIGS. 8A and 8B may beperformed in various combinations with each other. That is, the VM imageand storage data may be transferred from a source site to a destinationsite using the host networks 205 and the director networks 225 in anyappropriate combination. For example, embodiments of the systemdescribed herein may be performed in combination with normal operationsusing the host networks 205 and the director networks 225, that is, inwhich storage data is transferred over the director networks 225 (see,e.g., step 402 of FIG. 8A) and/or a VM image is transferred over thehost networks 205 (see, e.g., step 452 of FIG. 8B), along with the useof the director networks 225 to transfer VM images and the use of thehost networks 205 to transfer storage data.

When the inter-cluster storage network fails, the symmetric view of thedata blocks may no longer be maintained over the inter-cluster storagenetwork. Generally, the storage application stops exporting a disk imageon one site. At this point, the inter-cluster computer network may stillbe available and may be utilized to synchronize the storage to thewinning site in accordance with the system described herein. This may bedone in two ways: (1) pushing disk block ownership and data from losingsite to winning site and/or (2) pulling disk block ownership and datafrom losing site to winning site.

FIG. 9 is a flow diagram 500 showing a method of pushing data blockownership and data from losing site to winning site in the event of adirector network failure according to an embodiment of the systemdescribed herein, and in which alternate networks, such as the hostnetworks, may be used. At a step 502, an application is started on oneof the computers to transfer ownership of data blocks to the winningsite. After the step 502, processing proceeds to a step 504 where theapplication queries the losing site for ownership of clean and dirtydata blocks. After the step 504, processing proceeds to a step 506 wherethe ownership of the clean data blocks is transferred to the winningsite from the losing site. After the step 506, processing proceeds to astep 508 where the dirty data blocks and the ownership of those blocksis transferred from the losing site to the winning site. In anembodiment, the ownership of dirty data blocks may only be transferredto the winning site after the dirty blocks are synchronized to thewinning site, thereby allowing the winning site director cluster toserve incoming I/Os for those blocks. It is noted that the above-notedprocessing may be done in-band and out-of-band. After the step 508,processing is complete.

FIG. 10 is a flow diagram 550 showing a method of pulling data blockownership and data from the losing site to the winning site according toan embodiment of the system described herein. Reads and writes to thewinning site may pull ownership and dirty data blocks from the losingsite on an as-needed basis. At a step 552, an application is started onone of the computers to transfer ownership and dirty data blocks to thewinning site when needed. At a step 554, the application issues acommand to the losing site that requests ownership of data blocks anddirty data that are the subject of the command. In an embodiment, thecommand may be issued in connection with transmission of an error code.After the step 554, processing proceeds to a test step 556 where it isdetermined whether the requested data blocks are all clean data. If allthe requested blocks are all clean data blocks, then processing proceedsto a step 558 where the application only receives the ownership of thedata blocks. After the step 558, processing proceeds to a step 560 wherethe application passes the ownership of the data blocks to the winningsite. The winning site can provide the clean data blocks after receivingthe ownership. After the step 560, processing is complete. If, at thetest step 556, it is determined that at least some of the requestedblocks are dirty, then processing proceeds to a step 562 where theapplication receives the dirty blocks and the ownership. After the step562, processing proceeds to a step 564 where the dirty blocks and theownership are passed to the winning site. After the winning sitereceives the ownership, it can start serving I/Os for these blocks andno longer needs to pass an error code back. After the step 564,processing is complete.

A combination of the methods of pushing and pulling disk storage dataand ownership is also possible according to various embodiments of thesystem described herein. For example, the combination of pushing thestorage block ownership of clean blocks and pulling the block ownershipand data of dirty blocks may be desirable.

According further to the system described herein, when the lastredundant resource of a cluster level vulnerability fails, one of theclusters will no longer serve I/O, either because the cluster failed orbecause cache coherence can no longer be guaranteed between theclusters. If all VMs made it in time to safety on the less vulnerable orpreferred site that is still serving I/O as set forth herein, then thesystem may continue operating in the manner provided. If not, however,three further options may be provided according to various embodimentsof the system described herein:

1. All VMs may be restarted from a Write Order Fidelity (WOF) consistentvirtual volume (e.g., from a couple of seconds ago). Due to the restart,the VMs may boot with an empty memory state.

2. All VMs may be restarted with an application consistent snapshot ofthe virtual volume. Periodic snapshot of the virtual volume may becreated to facilitate this approach.

3. All VMs may be resumed with a memory state and virtual volume statefrom a coordinated VM/disk snapshot. Periodic coordinated snapshots ofboth VM (with memory state) and virtual volume may be created tofacilitate this approach.

In case 1, all applications running in VMs should be able to detect whatwork is lost by studying the current state of the disk and carry on fromthat point. In case 2, all applications running in VMs may simply carryon without having to check the state of the disk. In cases 2 and 3, allapplications running in VMs may redo the work from the moment that thesnapshots were taken. Note that external transactions to the VMs thatoccurred since the snapshot may be lost.

FIG. 11 is a schematic illustration of a write order fidelity (WOF)pipeline 600 and visualizes some details that may be used according toan embodiment of the system described herein. Write order consistencymay be achieved by bucketing writes in “deltas” and providingconsistency on a delta boundary basis. Further details of WOF may befound in U.S. Pat. No. 7,475,207 to Bromling et al., which is referencedelsewhere herein. The WOF pipeline may include multiple deltas. Deltasmay have ids that are monotonically increasing, where older deltas havelower numbers. The figure shows deltas 2 through 6. The contents ofdelta 1 made it to the distributed volume as can be seen by “one” and“uno” being present on the disks 620. The director cluster may have anopen delta with id 6. Hosts 610 in each site are writing “six” on SiteA, and “seis” on Site B to the open delta. At some point the open deltacloses indicating that no new writes are accepted while outstandingwrites are finishing their data phase. The closing of the delta may becoordinated between all directors in both clusters. Once the last writefor the closing delta is finished the closing delta is closed and a newdelta (with id 7) is opened and new writes will be accepted into the newdelta. The blocks in closed deltas may be exchanged at a later time. Inthe figure, delta 4 is in the exchange phase as can be seen by “four”being exchanged to Site B and “cuatro” being exchanged to Site A. Once adelta is fully exchanged, the next available closed delta is exchanged.Sometime later, exchanged deltas are committed to disk. In the figure,the delta with id 2 is committing, as can be seen by both sites writing“two” and “dos” to their local leg of the distributed volume. Note thatboth legs of the distributed volume may be substantially identical(modulo currently committing deltas) even though some writes wereinitiated by hosts at Site A and others by hosts at Site B.

FIG. 12 is a flow diagram 700 showing a method for taking and usingsynchronized snapshots of the memory state (image) of a VM and thestorage state of a disk to provide a fail-over mechanism for highavailability. At a step 702, a determination is made to trigger thetaking and using of a synchronized VM image snapshot and storage statesnapshot of a disk. For example, in an embodiment, the triggeringdetermination may be made following a failure condition in which oneadditional failure may result in insufficient resources for operation ofthe VM on an active/active system, as further discussed elsewhereherein. In another embodiment, the triggering for taking the VM imagesnapshot and storage state snapshot may be caused by a user. After thestep 702, processing proceeds to a step 704 where the VM is suspendedsuch that a snapshot image of the VM may be obtained. After the step704, processing proceeds to a step 706 where I/O processing is suspendedsuch that a storage state snapshot may be obtained. Various techniquesmay be used in connection with suspending I/O processing. It is notedthat steps 704 and 706 may be reversed, as appropriate, and performed inparallel.

After the step 706, processing proceeds to a step 708 where a snapshotimage of the VM is taken when the VM is preparing to commit a write of adelta to a bucket in accordance with WOF pipeline processing as furtherdiscussed elsewhere herein. After the step 708, processing proceeds to astep 710 where a snapshot is taken of the storage state of a disk beingutilized to store data in connection with the WOF transfer processing.The VM image snapshot and the storage state snapshots are synchronizedand it is noted that the order of steps 708 and 710 may be reversed, asappropriate, and/or may be performed in parallel. After the step 710,processing proceeds to a step 712 where the VM is resumed. After thestep 712, processing proceeds to a step 714 where I/O processing isresumed. It is noted that the steps 712 and 714 may be reversed, asappropriate, or performed in parallel. After the step 714, processingproceeds to a step 716 where the VM image snapshot and storage statesnapshot are made available for subsequent access as further discussedelsewhere herein. After the step 716, processing is complete.

FIG. 13 is a flow diagram 750 showing processing following a failure inthe active/active system according to an embodiment of the systemdescribed herein. At a step 752, a determination is made that a failurehas occurred in the active/active system, such as a link failure betweenmultiple sites. After the step 752, processing proceeds to a step 754where a rollback determination is made to rollback the state of a VM anddisk array to a prior state. After the step 754, processing proceeds toa step 756 where the VM is suspended. After the step 756, processingproceeds to a step 758 where I/O processing is suspended. In variousembodiments, the order of steps 756 and 758 may be reversed, asappropriate, and/or performed in parallel. After the step 758,processing proceeds to a step 760, where the VM is rolled back to aprior state of operation in connection with the VM image snapshot. Afterthe step 760, processing proceeds to a step 762 where disk array isrolled back a prior storage state. Specifically, the VM and storagestate of the disk may be rolled back to a state corresponding to thesnapshots taken in connection with the flow diagram 700. In this way, aVM and disk state may be advantageously rolled back to an incrementaldelta state that avoids data loss by using one or more of theincremental delta snapshots taken during the WOF processing inconnection with the committing of write deltas to buckets according tothe system described herein. The incremental delta snapshot used for therollback may correspond to a time just prior to the failure thattriggered the rollback. It is noted that steps 760 and 762 may beperformed in a different order than that shown and/or may be performedconcurrently.

After the step 762, processing proceeds to a step 764 where the VM isresumed according to the rollback state snapshots. After the step 764,processing proceeds to a step 766 where I/O processing is resumed. Invarious embodiments, the order of steps 764 and 766 may be reversed, asappropriate, and/or performed in parallel. After the step 764,processing is complete.

Various embodiments discussed herein may be combined with each other inappropriate combinations in connection with the system described herein.Additionally, in some instances, the order of steps in the flowcharts,flow diagrams and/or described flow processing may be modified, whereappropriate. Further, various aspects of the system described herein maybe implemented using software, hardware, a combination of software andhardware and/or other computer-implemented modules or devices having thedescribed features and performing the described functions. Softwareimplementations of the system described herein may include executablecode that is stored in a computer readable medium and executed by one ormore processors. The computer readable medium may include a computerhard drive, ROM, RAM, flash memory, portable computer storage media suchas a CD-ROM, a DVD-ROM, a flash drive and/or other drive with, forexample, a universal serial bus (USB) interface, and/or any otherappropriate tangible or non-transitory computer readable medium orcomputer memory on which executable code may be stored and executed by aprocessor. The system described herein may be used in connection withany appropriate operating system.

Other embodiments of the invention will be apparent to those skilled inthe art from a consideration of the specification or practice of theinvention disclosed herein. It is intended that the specification andexamples be considered as exemplary only, with the true scope and spiritof the invention being indicated by the following claims.

What is claimed is:
 1. A method for providing prior operation states ofa virtual machine in a storage system having at least one storage array,comprising: determining that a trigger for taking a snapshot image ofthe virtual machine and a snapshot of a storage array state hasoccurred, wherein the trigger includes a determination that a failurecondition has occurred, and wherein the failure condition is a statethat at least one additional failure will result in a lack of resourcesto maintain operation of the virtual machine; taking the snapshot imageof the virtual machine; taking the snapshot of the storage array state;making the snapshot image of the virtual machine and the snapshot of thestorage array state available for subsequent access to rollback thevirtual machine and storage array state to a prior state.
 2. The methodaccording to claim 1, further comprising: rolling back the virtualmachine and the storage array state to a state corresponding to thesnapshot image of the virtual machine and the storage array state inresponse to a failure in the system.
 3. A method for providing prioroperation states of a virtual machine in a storage system having atleast one storage array, comprising: determining that a trigger fortaking a snapshot image of the virtual machine and a snapshot of astorage array state has occurred; taking the snapshot image of thevirtual machine; taking the snapshot of the storage array state; makingthe snapshot image of the virtual machine and the snapshot of thestorage array state available for subsequent access to rollback thevirtual machine and storage array state to a prior state, wherein thesnapshot image of the virtual machine and the snapshot of the storagearray state correspond to a write order fidelity processing state. 4.The method according to claim 3, wherein the trigger is initiated by auser.
 5. The method according to claim 3, wherein the write orderfidelity processing state is, for a set of data being transmitted from afirst site to a second site, a state of the set of the data that istransmitted prior to the trigger and that includes at least some datathat is on the first site and the second site.
 6. The method accordingto claim 3, wherein the trigger includes a determination that a failurecondition has occurred.
 7. The method according to claim 3, furthercomprising: rolling back the virtual machine and the storage array stateto a state corresponding to the snapshot image of the virtual machineand the storage array state in response to a failure in the system.
 8. Anon-transitory computer readable medium storing software for providingprior operation states of a virtual machine in a storage system havingat least one storage array, the software comprising: executable codethat determines that a trigger for taking a snapshot image of thevirtual machine and a snapshot of a storage array state has occurred,wherein the trigger includes a determination that a failure conditionhas occurred, and wherein the failure condition is a state that at leastone additional failure will result in a lack of resources to maintainoperation of the virtual machine; executable code that takes thesnapshot image of the virtual machine; executable code that takes thesnapshot of the storage array state; executable code that makes thesnapshot image of the virtual machine and the snapshot of the storagearray state available for subsequent access to rollback the virtualmachine and storage array state to a prior state.
 9. The non-transitorycomputer readable medium according to claim 8, wherein the softwarefurther comprises: executable code that rolls back the virtual machineand the storage array state to a state corresponding to the snapshotimage of the virtual machine and the storage array state in response toa failure in the system.
 10. A non-transitory computer readable mediumstoring software for providing prior operation states of a virtualmachine in a storage system having at least one storage array, thesoftware comprising: executable code that determines that a trigger fortaking a snapshot image of the virtual machine and a snapshot of astorage array state has occurred; executable code that takes thesnapshot image of the virtual machine; executable code that takes thesnapshot of the storage array state; executable code that makes thesnapshot image of the virtual machine and the snapshot of the storagearray state available for subsequent access to rollback the virtualmachine and storage array state to a prior state, wherein the snapshotimage of the virtual machine and the snapshot of the storage array statecorrespond to a write order fidelity processing state.
 11. Thenon-transitory computer readable medium according to claim 10, whereinthe trigger is initiated by a user.
 12. The non-transitory computerreadable medium according to claim 10, wherein the write order fidelityprocessing state is, for a set of data being transmitted from a firstsite to a second site, a state of the set of the data that istransmitted prior to the trigger and that includes at least some datathat is on the first site and the second site.
 13. The non-transitorycomputer readable medium according to claim 10, wherein the triggerincludes a determination that a failure condition has occurred.
 14. Thenon-transitory computer readable medium according to claim 10, whereinthe software further comprises: executable code that rolls back thevirtual machine and the storage array state to a state corresponding tothe snapshot image of the virtual machine and the storage array state inresponse to a failure in the system.
 15. An active/active system,comprising: a first site; a second site located remotely from the firstsite, wherein each of the first site and the second site including atleast one host cluster, at least one director cluster, and at least onestorage array; and a computer readable medium of at least one of: thehost cluster or the director cluster that stores software including:executable code that determines that a trigger for taking a snapshotimage of the virtual machine and a snapshot of a storage array state hasoccurred, wherein the trigger includes a determination that a failurecondition has occurred, and wherein the failure condition is a statethat at least one additional failure will result in a lack of resourcesto maintain operation of the virtual machine; executable code that takesthe snapshot image of the virtual machine; executable code that takesthe snapshot of the storage array state; executable code that makes thesnapshot image of the virtual machine and the snapshot of the storagearray state available for subsequent access to rollback the virtualmachine and storage array state to a prior state.
 16. The systemaccording to claim 15, wherein the software further comprises:executable code that rolls back the virtual machine and the storagearray state to a state corresponding to the snapshot image of thevirtual machine and the storage array state in response to a failure inthe system.
 17. An active-active system, comprising: a first site; asecond site located remotely from the first site, wherein each of thefirst site and the second site including at least one host cluster, atleast one director cluster, and at least one storage array; and acomputer readable medium of at least one of: the host cluster or thedirector cluster that stores software including: executable code thatdetermines that a trigger for taking a snapshot image of the virtualmachine and a snapshot of a storage array state has occurred; executablecode that takes the snapshot image of the virtual machine; executablecode that takes the snapshot of the storage array state; executable codethat makes the snapshot image of the virtual machine and the snapshot ofthe storage array state available for subsequent access to rollback thevirtual machine and storage array state to a prior state, wherein thesnapshot image of the virtual machine and the snapshot of the storagearray state correspond to a write order fidelity processing state. 18.The system according to claim 17, wherein the write order fidelityprocessing state is, for a set of data being transmitted from a firstsite to a second site, a state of the set of the data that istransmitted prior to the trigger and that includes at least some datathat is on the first site and the second site.
 19. The system accordingto claim 17, wherein the trigger includes a determination that a failurecondition has occurred.
 20. The system according to claim 17, whereinthe software further comprises: executable code that rolls back thevirtual machine and the storage array state to a state corresponding tothe snapshot image of the virtual machine and the storage array state inresponse to a failure in the system.